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1 . (currently amended) In a distributed network having a number of server computers and 
associated client devices, a network virus defense system, comprising: 

a network virus/worm sensor operable in a number of modes arranged to detect a 
computer virus or a computer worm in the network such that the bandwidth of the network is 
substantially unaffected in a first mode in that data packets are not removed from or added to 
network traffic, but are copied, and wherein when the virus sensor detects the computer virus, the 
virus sensor switches to a second mode, wherein the data packets are not copied and wherein a 
subset of data packets determined to be infected or suspected of being infected are not returned 
to the network; 

a network virus sensor self registration module coupled to the network virus/worm sensor 
ged to automatically self register the associated network vims/worm sensor 

controller storing a rules engine used to store and source a plurality of detection rules 
for detecting computer viruses and worms and using statistical results of observed abnorm al 
gyjate ^ recorded apd monitored b y » virus monitor, the abnormal grgntg define d in policies and 
thg pinralitv of d^tin. ^ in th e yjrus monitor, and wherein the virus monitor gengrfflgj an 
a bnormal hehaviP - ~ y«« which is e yaiuatgd hv a server which determines an action to perform; 

u ^uivu iui v\ h mini: ■»!! r """ lmnwi ****** ™* "" ,r ' " i " ' f " " ™ baQauem 1v 

analyr. e d t and 

an anti-virus agent creation module arranged to create an anti-virus agent or create a . 
detection module, an infection module and a payload. 
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2. (original) A system as recited in claim I , wherein during an initialization 
phase of the network virus/worm sensor, the network virus/worm self registration module 
collects selected network environmental information and network configuration information. 

3. (previously amended) A system as recited in claim 2, wherein when the 
distributed network is an IP based type network, the selected network environmental information 
includes an IP address for all of the relevant client devices included in the IP-based type 
network. 

4. (original) A system s recited in claim 3, wherein the network configuration 
information includes self configuration information related to an appropriate IP address for the 
network virus/worm sensor. 

5. (original) A system as recited in claim 4, wherein the network configuration 
information includes locations of all relevant server computers. 

6. (original) A system as recited in claim 5, wherein selected ones of the 
relevant server computers are identified as controllers. 

7. (original) A system as recited in claim 6, wherein each of the identified 
controllers includes a rules engine used to store and source a plurality of detection rules for 
detecting computer viruses and worms and an outbreak prevention policy (OPP) distribution and 
execution engine that provides a set of anti-virus policies, protocols, and procedures suitable for 
use by a system administrator for both preventing viral outbreaks and repairing any subsequent 
damage caused by a viral outbreak. 
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8. (original) A system as recited in claim 7, wherein during the initialization 
phase, each of the rules engines associated with each of the identified controllers are updated 
with a set of detection rules for detecting computer viruses and worms. 

9. (original) A system as recited in claim 7, wherein during ihe initialization 
phase, each of the outbreak prevention policy distribuiion and execution engines associated with 
each of the identified controllers are updated with a set of anti- virus policies, a set of anti-viius 
protocols, and a set of anti-virus procedures. 

10. (previously amended) A system as recited in claim 1, wherein in a first mode the 
bandwidth of the network is substantially unaffected'by the network virus/monitor sensor, the 
network virus/monitor sensor not removing or adding network traffic but copying data packets, 
and wherein when the network virus/worm sensor detects a computer virus or a computer worm, 
the virus/worm sensor switches to a second mode such that only those data packets infected by 
the computer virus are not returned to the network. 



4 



PAGE 6/13 * RCVD AT 6/4/2007 5:21 :04 PM [Eastern Daylight Time] ' SVR: USPTO-EFXRF-2/7 ' DN!S:2738300 * CSID:612 825 6304 * DURATION (mm-ss):03-18 



JUN-04-2007 15:27 FROM-BEYER WEAVER THOMAS 612-825-6304 T-012 P. 007/013 F-244 

11. (currently amended) In a distributed network having a number of serveT 
computers and associated client devices and a network virus/monitor sensor operable in a 
number of modes, a method of self registering a network virus defense system comprising : 

detecting a computer virus or a computer worm in the network such that bandwidth of the 
network is substantially unaffected in a first mode in that data packets are not removed from or 
added to network Traffic, but are copied, and wherein when the virus sensor detects the computer 
virus, the virus sensor switches to a second mode, wherein the data packets are not copied and 
wherein a subset of data packets determined to be infected or suspected of being infected are not 

returned to the network , 

automatically self registering the sensor by a network virus sensor self registration 

module coupled 10 the schsot; 

storing a rules engine used to store and source a plurality of detection rules from 
detecting computer viruses and worms and using statistical results of oh^rved abnormal everts 
warded, and Stored b v » virus monjtQL the abnormal events defined in policies and the 

plr - MtY oXd^teetipn rules i r th ug monitor, and wherein The virus Traitor penerates an 

^-^.i behavior renort w hich fa evaluated hv a server which determine an action to perftnm 
providing virus cleaning agents from known viruses and unknown viruses subsequently 
analyzed; and 

creating a detection module that detects whether a client device is infected with a virus 
and triggers the introduction of an anti-virus infection module SO that the virus in the client 
device is overwritten and an ami-virus agent payload created based on features of the selected 
computer virus and performs as a cleaning/repairing payload capable of cleaning and repairing 
damage done to the client device. 
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12. (previously amended) A method as recited in claim 11, mrxher comprising: 
during an initialization phase of the network virus/worm sensor, collecting selected 

network environmental information and network configuration information by the network 
virus/worm self registration module. 

13. (previously amended) A method as recited in claim 12, wherein when the 
distributed network is an TP based type network, the selected network environmental information 
includes an IP address for all of the relevant client devices included in the IP-based type 
network. 

14. (original) a method as recited in claim 13, wherein the network 
configuration information includes self configuration information related to an appropriate IP 
address for the network virus/worm sensor. 

15. (original) A method as recited in claim 14, wherein the network 
configuration information includes locations of all relevant server computers. 

1 6. (original) A method as recited in claim 1 5, wherein selected ones of the 
relevant server computers are identified as controllers. 

17. (previously amended) A method as recited in claim 16, wherein each of the 
identified controllers includes a rules engine used to store and source a plurality of detection 
rules for detecting computer viruses and worms and an outbreak prevention policy (OPP) 
distribution and execution engine that provides a set of anti-virus policies, protocols, and 
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procedures suitable for use by a system administrator for both preventing viral outbreaks and 
repairing any subsequent damage caused by a viral outbreak. 

1 8. (original) A method as recited in claim 1 7, further comprising: 
during the initialization phase, 

updating each of the rules engines associated with each of the identified controllers with a 
set of detection rules for detecting computer viruses and worms. 

1 9. (original) A method as recited in claim 1 7, further comprising: 
during die initialization phase, 

updating each of the outbreak prevention policy distribution and execution engines 
associated with each of the identified controllers with a set of anti-virus policies, a set of anti- 
vims protocols, and a set of anti-virus procedures. 

20- (previously amended) A method as recited in claim 10, wherein in a first mode 
the bandwidth of the network is substantially unaffected by the network vims/monitor sensor, the 
network virus/monitor sensor not removing or adding network traffic but copying data packets, 
and wherein when the network virus/worm sensor detects a computer virus or a computer worm, 
the virus/worm sensor switches to a second mode such that only those data packets infected by 
the computer virus are not returned to the network. 
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21 (original) In a distributed network having a number of server computers and 
associated client devices, computer program product for self registering a network virus defense 
system, that includes a network virus/worm sensor operable in a number of modes arranged to 
detect a computer virus or a computer worm in the network, comprising: 

computer code for automatically self registering the associated network virus/worm 
sensor by a network virus sensor self registration module coupled to the network virus/worm 
sensor; and 

computer readable medium for storing the computer code. 

22 (original) Computer program product as recited in claim 2 1 , further 
comprising: 

computer code for collecting selected network environmental information and network 
configuration information by the network virus/worm self registration module during an 
initialization phase. 

23. (original) Computer program product as recited in claim 22, wherein when 
the network is an IP based type network, the selected network environmental information 
includes an IP address for all of the relevant client devices included in the network. 

24. (original) Computer program product as recited in claim 23, wherein the 
network configuration information includes self configuration informaiion related to an 
appropriate IP address for the network virus/worm sensor. 

25 . (original) Computer program product as recited in claim 24, wherein the 
network configuration information includes locations of all relevant server computers. 
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26! (original) Computer program product as recited in claim 25, wherein selected 
ones of the relevant server computers are identified as controllers. 

27. (original) Computer program product as recited in claim 26, wherein each of 
the identified controllers includes a rules engine used to store and source a plurality of detection 
rules for detecting computer viruses and worms and an outbreak prevention policy (OPP) 
distribution and execution engine that provides a set of anti-virus policies, protocols, and 
procedures suitable for use by a system administrator for both preventing viral outbreaks and 
repairing any subsequent damage caused by a viral outbreak. 

28. (original) Computer program product as recited in claim 27, further 

comprising: 

during the initialization phase, 

updating each of the rules engines associated with each of the identified controllers with a 
set of detection rules for detecting computer viruses and worms. 

29. (original) Computer program product as recited in claim 27, further 
comprising: 

computer code for updating each of the outbreak prevention policy distribution and 
execution engines associated with each of the identified controllers with a set of anti-virus 
policies, a set of anti-virus protocols, and a set of anti-virus procedures during the initialization 
phase. 
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30. (previously amended) Computer program product as recited in claim 21, wherein 
in a first mode the bandwidth of the network is substantially unaffected by the network 
virus/monitor sensor, the network virus/monitor sensor not removing or adding network traffic 
but copying data packets, and wherein when the network vims/worm sensor detects a computer 
virus or a computer worm, the virus/worm sensor switches to a second mode such that only those 
data packets infected by the computer virus are not returned to the network. 
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